From: Kees Cook <keescook@chromium.org>
To: Josh Poimboeuf <jpoimboe@redhat.com>
Cc: Marios Pomonis <pomonis@google.com>,
Alexander Lobakin <alexandr.lobakin@intel.com>,
Kristen C Accardi <kristen.c.accardi@intel.com>,
Sami Tolvanen <samitolvanen@google.com>,
Thomas Gleixner <tglx@linutronix.de>,
Ingo Molnar <mingo@redhat.com>, Borislav Petkov <bp@alien8.de>,
"H. Peter Anvin" <hpa@zytor.com>,
Peter Zijlstra <peterz@infradead.org>,
Ivan Babrou <ivan@cloudflare.com>,
Jiri Slaby <jirislaby@kernel.org>,
Julien Thierry <jthierry@redhat.com>,
linux-kernel@vger.kernel.org, x86@kernel.org,
linux-hardening@vger.kernel.org,
Masami Hiramatsu <mhiramat@kernel.org>
Subject: Re: [PATCH] x86/unwind/orc: Handle kretprobes_trampoline
Date: Wed, 13 Oct 2021 21:52:36 -0700 [thread overview]
Message-ID: <202110132151.F78F49AD8@keescook> (raw)
In-Reply-To: <20211014014101.6du6jj2o7g4ficu5@treble>
On Wed, Oct 13, 2021 at 06:41:01PM -0700, Josh Poimboeuf wrote:
> On Mon, Oct 11, 2021 at 02:03:26PM -0700, Kees Cook wrote:
> > On Thu, Sep 02, 2021 at 07:13:26PM -0700, Kees Cook wrote:
> > > From: Marios Pomonis <pomonis@google.com>
> > >
> > > Fix a bug in the ORC unwinder when kretprobes has replaced a return
> > > address with the address of `kretprobes_trampoline'. ORC mistakenly
> > > assumes that the address in the stack is a return address and decrements
> > > it by 1 in order to find the proper depth of the next frame.
> > >
> > > This issue was discovered while testing the FG-KASLR series[0][1] and
> > > running the live patching test[2] that was originally failing[3].
> > >
> > > [0] https://lore.kernel.org/kernel-hardening/20200923173905.11219-1-kristen@linux.intel.com/
> > > [1] https://github.com/KSPP/linux/issues/132
> > > [2] https://github.com/lpechacek/qa_test_klp
> > > [3] https://lore.kernel.org/lkml/alpine.LSU.2.21.2009251450260.13615@pobox.suse.cz/
> > >
> > > Fixes: ee9f8fce9964 ("x86/unwind: Add the ORC unwinder")
> > > Signed-off-by: Marios Pomonis <pomonis@google.com>
> > > Cc: Josh Poimboeuf <jpoimboe@redhat.com>
> > > Cc: Alexander Lobakin <alexandr.lobakin@intel.com>
> > > Cc: Kristen C Accardi <kristen.c.accardi@intel.com>
> > > Cc: Sami Tolvanen <samitolvanen@google.com>
> > > Signed-off-by: Kees Cook <keescook@chromium.org>
> >
> > Ping again; Josh can you take this please?
>
> I'm confused how this still fixes anything after Masami's patch set,
> which is now in linux-next.
>
> After those patches, for a CALL-type ORC entry, the unwinder sets
> state->ip to the address returned by unwind_recover_ret_addr(). In the
> case of a kretprobe, that means that state->ip will no longer point to
> kretprobes_trampoline() -- making the above patch description incorrect.
>
> Instead, state->ip will then contain the original call return address
> which was replaced by kretpobes. So it looks to the unwinder like a
> normal call return address, and 'state->signal' should remain false.
>
> Am I missing something?
I'll let Marios answer in more detail, but my understanding is that
Masami's patch set didn't solve the FGKASLR-vs-kretprobes issue[1].
I don't understand _why_ yet, though.
-Kees
[1] https://lore.kernel.org/all/CAKXAmdgS3SL_qyjzjY32_DXe3WVTN+O=wYwJ9vkUXKhjmt87fA@mail.gmail.com/
--
Kees Cook
next prev parent reply other threads:[~2021-10-14 4:52 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-09-03 2:13 [PATCH] x86/unwind/orc: Handle kretprobes_trampoline Kees Cook
2021-09-04 17:55 ` Josh Poimboeuf
2021-09-05 7:57 ` Masami Hiramatsu
2021-09-24 17:17 ` Marios Pomonis
2021-10-11 21:03 ` Kees Cook
2021-10-14 1:41 ` Josh Poimboeuf
2021-10-14 4:52 ` Kees Cook [this message]
2021-10-14 10:16 ` Masami Hiramatsu
2021-10-21 15:13 ` Masami Hiramatsu
2021-10-29 18:19 ` Marios Pomonis
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=202110132151.F78F49AD8@keescook \
--to=keescook@chromium.org \
--cc=alexandr.lobakin@intel.com \
--cc=bp@alien8.de \
--cc=hpa@zytor.com \
--cc=ivan@cloudflare.com \
--cc=jirislaby@kernel.org \
--cc=jpoimboe@redhat.com \
--cc=jthierry@redhat.com \
--cc=kristen.c.accardi@intel.com \
--cc=linux-hardening@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mhiramat@kernel.org \
--cc=mingo@redhat.com \
--cc=peterz@infradead.org \
--cc=pomonis@google.com \
--cc=samitolvanen@google.com \
--cc=tglx@linutronix.de \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.